feat: Add unified sensor support for KAC and Lumos

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7
 	github.com/cert-manager/cert-manager v1.12.14
 	github.com/containers/image/v5 v5.31.1
-	github.com/crowdstrike/gofalcon v0.18.0
+	github.com/crowdstrike/gofalcon v0.18.1-0.20251219213215-c969f34e7808
 	github.com/go-logr/logr v1.4.2
 	github.com/go-openapi/swag v0.23.0
 	github.com/google/go-cmp v0.6.0

go.sum

@@ -90,8 +90,8 @@ github.com/containers/storage v1.54.0 h1:xwYAlf6n9OnIlURQLLg3FYHbO74fQ/2W2N6EtQE
 github.com/containers/storage v1.54.0/go.mod h1:PlMOoinRrBSnhYODLxt4EXl0nmJt+X0kjG0Xdt9fMTw=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/crowdstrike/gofalcon v0.18.0 h1:7B1N5nGGDYpb6RVorFQE0R4BSnZLst6YEYgC2F9Xl90=
-github.com/crowdstrike/gofalcon v0.18.0/go.mod h1:a12GB+md+hRSgVCb3Pv6CakeTIsDIUCIVWRlJelIhY0=
+github.com/crowdstrike/gofalcon v0.18.1-0.20251219213215-c969f34e7808 h1:4u5t0ieUKpeKH59ZR7W6wGXuL0KsoE3hFliaQOJrmyA=
+github.com/crowdstrike/gofalcon v0.18.1-0.20251219213215-c969f34e7808/go.mod h1:a12GB+md+hRSgVCb3Pv6CakeTIsDIUCIVWRlJelIhY0=
 github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f h1:eHnXnuK47UlSTOQexbzxAZfekVz6i+LKRdj1CU5DPaM=
 github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
 github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo=

internal/controller/admission/image_push.go

@@ -165,6 +165,17 @@ func (r *FalconAdmissionReconciler) imageUri(ctx context.Context, falconAdmissio
 		return "", fmt.Errorf("failed to set Falcon Admission Image version: %v", err)
 	}
 
+	if falconAdmission.Spec.Registry.Type == falconv1alpha1.RegistryTypeCrowdStrike {
+		semver := strings.Split(imageTag, "-")[0]
+		if !falcon_registry.IsMinimumUnifiedSensorVersion(semver, falcon.KacSensor) {
+			cloud, err := falconAdmission.Spec.FalconAPI.FalconCloudWithSecret(ctx, r.Reader, falconAdmission.Spec.FalconSecret)
+			if err != nil {
+				return "", err
+			}
+			registryUri = falcon.FalconContainerSensorImageURI(cloud, falcon.RegionedKacSensor)
+		}
+	}
+
 	return fmt.Sprintf("%s:%s", registryUri, imageTag), nil
 }
 

internal/controller/falcon_container/image_push.go

@@ -17,6 +17,7 @@ import (
 	"github.com/crowdstrike/falcon-operator/pkg/gcp"
 	"github.com/crowdstrike/falcon-operator/pkg/k8s_utils"
 	"github.com/crowdstrike/falcon-operator/pkg/registry/auth"
+	"github.com/crowdstrike/falcon-operator/pkg/registry/falcon_registry"
 	"github.com/crowdstrike/falcon-operator/pkg/registry/pushtoken"
 	"github.com/crowdstrike/gofalcon/falcon"
 	"github.com/go-logr/logr"
@@ -174,6 +175,17 @@ func (r *FalconContainerReconciler) imageUri(ctx context.Context, falconContaine
 		return "", fmt.Errorf("failed to set Falcon Container Image version: %v", err)
 	}
 
+	if falconContainer.Spec.Registry.Type == falconv1alpha1.RegistryTypeCrowdStrike {
+		semver := strings.Split(imageTag, "-")[0]
+		if !falcon_registry.IsMinimumUnifiedSensorVersion(semver, falcon.KacSensor) {
+			cloud, err := falconContainer.Spec.FalconAPI.FalconCloudWithSecret(ctx, r.Reader, falconContainer.Spec.FalconSecret)
+			if err != nil {
+				return "", err
+			}
+			registryUri = falcon.FalconContainerSensorImageURI(cloud, falcon.RegionedSidecarSensor)
+		}
+	}
+
 	return fmt.Sprintf("%s:%s", registryUri, imageTag), nil
 }
 

pkg/node/config_cache.go

@@ -122,7 +122,7 @@ func (cc *ConfigCache) getFalconImage(ctx context.Context, nodesensor *falconv1a
 	} else {
 		imageUri = falcon_registry.ImageURINode(cloud)
 		if nodesensor.Status.Sensor != nil {
-			if falcon_registry.IsMinimumUnifiedSensorVersion(strings.Split(*nodesensor.Status.Sensor, "-")[0]) {
+			if falcon_registry.IsMinimumUnifiedSensorVersion(strings.Split(*nodesensor.Status.Sensor, "-")[0], falcon.NodeSensor) {
 				imageUri = falcon_registry.UnifiedImageURINode(cloud)
 			}
 		}

pkg/registry/falcon_registry/container.go

@@ -5,15 +5,24 @@ import (
 	"strings"
 
 	"github.com/crowdstrike/gofalcon/falcon"
+	"golang.org/x/mod/semver"
+)
+
+const (
+	MinimumUnifiedNodeSensorVersion    = "7.31.0"
+	MinimumUnifiedKacSensorVersion     = "7.33.0"
+	MinimumUnifiedSidecarSensorVersion = "7.33.0"
 )
 
 func (reg *FalconRegistry) LastContainerTag(ctx context.Context, sensorType falcon.SensorType, versionRequested *string) (string, error) {
+	var tag string
+
 	systemContext, err := reg.systemContext()
 	if err != nil {
 		return "", err
 	}
 
-	return lastTag(ctx, systemContext, reg.imageUriContainer(sensorType), func(tag string) bool {
+	regionedFilter := func(tag string) bool {
 		tagContains := ".container"
 		if sensorType == falcon.ImageSensor || sensorType == falcon.KacSensor {
 			tagContains = ""
@@ -22,9 +31,44 @@ func (reg *FalconRegistry) LastContainerTag(ctx context.Context, sensorType falc
 		return (tag[0] >= '0' && tag[0] <= '9' &&
 			strings.Contains(tag, tagContains) &&
 			(versionRequested == nil || strings.HasPrefix(tag, *versionRequested)))
-	})
+	}
+
+	unifiedFilter := func(tag string) bool {
+		return (tag[0] >= '0' && tag[0] <= '9' &&
+			(versionRequested == nil || strings.HasPrefix(tag, *versionRequested)))
+	}
+
+	switch sensorType {
+	case falcon.KacSensor:
+		tag, err = lastTag(ctx, systemContext, falcon.FalconContainerSensorImageURI(reg.falconCloud, falcon.KacSensor), unifiedFilter)
+		if err != nil {
+			tag, err = lastTag(ctx, systemContext, falcon.FalconContainerSensorImageURI(reg.falconCloud, falcon.RegionedKacSensor), regionedFilter)
+		}
+	case falcon.SidecarSensor:
+		tag, err = lastTag(ctx, systemContext, falcon.FalconContainerSensorImageURI(reg.falconCloud, falcon.SidecarSensor), unifiedFilter)
+		if err != nil {
+			tag, err = lastTag(ctx, systemContext, falcon.FalconContainerSensorImageURI(reg.falconCloud, falcon.RegionedSidecarSensor), regionedFilter)
+		}
+	default:
+		tag, err = lastTag(ctx, systemContext, reg.imageUriContainer(sensorType), regionedFilter)
+	}
+
+	return tag, err
 }
 
 func (fr *FalconRegistry) imageUriContainer(sensorType falcon.SensorType) string {
 	return falcon.FalconContainerSensorImageURI(fr.falconCloud, sensorType)
 }
+
+func IsMinimumUnifiedSensorVersion(version string, sensorType falcon.SensorType) bool {
+	switch sensorType {
+	case falcon.NodeSensor:
+		return semver.Compare("v"+version, "v"+MinimumUnifiedNodeSensorVersion) >= 0
+	case falcon.KacSensor:
+		return semver.Compare("v"+version, "v"+MinimumUnifiedKacSensorVersion) >= 0
+	case falcon.SidecarSensor:
+		return semver.Compare("v"+version, "v"+MinimumUnifiedSidecarSensorVersion) >= 0
+	}
+
+	return false
+}

pkg/registry/falcon_registry/node.go

@@ -6,11 +6,6 @@ import (
 	"strings"
 
 	"github.com/crowdstrike/gofalcon/falcon"
-	"golang.org/x/mod/semver"
-)
-
-const (
-	MinimumUnifiedSensorVersion = "7.31.0"
 )
 
 func (reg *FalconRegistry) LastNodeTag(ctx context.Context, versionRequested *string) (string, error) {
@@ -52,7 +47,3 @@ func UnifiedImageURINode(falconCloud falcon.CloudType) string {
 func CrowdstrikeRepoOverride(falconCloud falcon.CloudType, repoOverride string) string {
 	return fmt.Sprintf("%s/%s", registryFQDN(falconCloud), repoOverride)
 }
-
-func IsMinimumUnifiedSensorVersion(version string) bool {
-	return semver.Compare("v"+version, "v"+MinimumUnifiedSensorVersion) >= 0
-}